INFORMATION ASSET MANAGEMENT (IAM)

Effective Information Sharing & Security Award

INFORMATION ASSET MANAGEMENT (IAM)

Greater Manchester Combined Authority

Briefly describe the initiative/ project/service; please include your aims and objectives

This initiative aims to establish a group approach to information asset management at GMCA, GMFRS and TfGM that enables us to realise the full potential of our information assets. The core objectives of this work are to:

Enable the delivery of a wider information framework approach from the GMCA-TfGM IG shared service.
Empower directorates/functional areas and teams with the knowledge, tools, and ongoing support to manage their information and data assets effectively.
Embed long term sustained culture and behaviour change to how information and data assets are managed.

Key deliverables of this work include developing information asset owner (IAO) roles across the organisations, developing robust training and guidance for these individuals, and creating intuitive asset registers linked to reliable reporting which enables the organisations to better understand and manage their critical information assets.

What are the key achievements?

The key achievements for this work have been:

• Established the information asset owner and administrator roles across the three organisations, embedding these roles within three distinct organisational cultures.
• Developed and released mandatory IAO training to ensure they have the skills, knowledge and understanding in order effectively carry out these roles. We’ve also developed a virtual staff community where IAOs can share best practice and advice with one another.
• Developed automated processes for changes in IAO roles to be recorded to ensure that new starters in IAO roles receive the support and knowledge they need in order to carry out their responsibilities.
• An information asset register (IAR) and record of processing activities (RoPA) have been developed for each organisation within the group. These registers contain all details relating to our information assets as organisations, as well as our processing activities of personal data. These registers are managed by our information asset owners. This enables us to gain greater understanding of our data assets and where our critical assets might be stored, allowing us to ensure security arrangements and risks are properly managed, whilst also ensuring we uphold the information rights of our data subjects.
• Through the creation of a new dashboard, we can garner greater insights into our assets across the group, allowing us to better link up data sets and identify data that may be of greater business use. For example, from the IAR we are able to track information assets by directorate, see a summary description of the data sets they contain, where they are stored, who is responsible for their management, and security measures implemented to keep them safe.
• We can get the same insights from the RoPA, with additional fields such as numbers of data subjects, whether a DPIA has been created, and whether there are any international transfers involved in the processing activity. This enables the organisation to better managed risks involved with processing personal data, and to better protect the rights of data subjects.
• Creating a consistent approach to the registers across three distinct organisational cultures was a key achievement and we are now seeing the benefits in subsequent change initiatives. For instance, the IDG service recently has begun work to update privacy notices across the group, with the comprehensive registers speeding up the process by summarising processing activities from across the three organisations, saving time and providing important details for the notices.

How Innovative is your initiative?

The IAO roles were completely new to the group organisations. Creating them therefore required the organisations to go through a substantial change process, and for the individuals identified as IAOs, it required them to undergo new training to understand their responsibilities and what the roles entailed.

We took an innovative approach to develop a framework which could be adopted by three distinct partner organisations. Developing an approach to unify training, support and tools across GMCA, GMFRS and TfGM was a challenge, but now has enabled us to work more closely in the areas of information and data governance but aligning our processes and practices, enabling us to work more effectively as a group.

The IAR and RoPA tools were built from scratch after a discovery exercise to understand the most efficient way we could create registers that could be edited by our IAOs, but remain visible and non-editable for the rest of the organisations. We also created a brand-new bespoke training package for IAOs to complete. The starters, movers and leavers automated process required cross working from IDG, HR and Digital in order to create a seamless workflow across different systems to allow the IDG team to be alerted to changes in IAO roles.

Through our new dashboard linked to our registers, we are gaining insights into our data and information that we never had access to before. We are able to see what our critical data assets might be; this not only supports us with business continuity planning in ensuring they have the appropriate protections, but it also enable better visibility of and access to business useful data; data that can support projects and programs across the group.

What are the key learning points?

Information and data governance as a specialist area is often full of technical language, acronyms and jargon. It is also an area that most people in their roles at work do not have frequent insight into. Therefore, communicating the concept of information asset management clearly and to a wide audience in plain English was a challenge to overcome. Iteratively, we have produced guidance, communications and training to the group organisations that is consistent, and where possible, uses straightforward terminology and is adaptable for different audiences. We found this key in developing our approach; if the audience does not understand what you are trying to do, there won’t be sufficient buy-in.

Linked to this, it is important to create an understandable and effective case for change. In any change project, especially one such as this where the outputs can be seen as quite technical and niche, it is important you answer the ‘so what’ question for stakeholders. People are less inclined to support change if they do not see the problem are reason why change is necessary. Therefore, for this work we centred our narrative around the benefits it would bring people in their day-to-day jobs: primarily, the ability to better understand the key data and information sets managed by the organisation, and have improved access to, and visibility of them. This proved more compelling than the equally important but less inspiring need to install best information governance practice across teams and to be watertight on compliance.

Moreover, it cannot be understated how important the human element was for successfully embedding of the information asset management approach. You can create robust systems and processes, however if you have not spent the time with the people you need to adopt the change, they will not be bought into the process, and your success will be limited. We learned not to underestimate the time required to develop training and guidance and to hold sessions with IAOs to ensure expectations and responsibilities were understood, and that people felt confident and involved enough in the change to adopt their new roles.

A final lesson learned was ensuring that the information asset management approach linked tour our broader information and data governance framework as a service. It was important that the IAOs didn’t see their roles or the IARs and RoPAs as separate from this framework. It was a key requirement that the registers linked to other elements such as our data protection impact assessment support and information security, as well as our work around promoting transparency and proactive publication of information and upholding the information rights of citizens. Creating this ‘golden thread’ was crucial in achieving our primary goal in enabling the delivery of a wider information framework approach from the GMCA-TfGM IG shared service.

Additional Comments

We will engage with partners across Greater Manchester around Information Asset Management. In particular, sharing lessons learned, the benefits, and the challenges we faced and how we have overcome them. This is so we can continue to work collaboratively with our partners and champion best practice in terms of information and data governance. This will support our ambitions as part of the Greater Manchester Information Strategy to create a Greater Manchester system to act as one in this area

HOME

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.